Improved Impossible Differential Cryptanalysis of Rijndael and Crypton
|
|
- Melissa Goodman
- 5 years ago
- Views:
Transcription
1 Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University, Korea {jhcheon,kkj,bushman}@icu.ac.kr 2 Mathematics Department, Brown University, USA mjkim@math.brown.edu 3 Korea Information Security Agency, Korea swkang@kisa.or.kr Abstract. Impossible differential attacks against Rijndael and Crypton have been proposed up to 5-round. In this paper we expand the impossible differential attacks to 6-round. Although we use the same 4-round impossible differential as in five round attacks, we put this impossible differential in the middle of 6-round. That is, we will consider one round before the impossible differential and one more round after. The complexity of the proposed attack is bigger than that of the Square attack, but still less than that of the exhaustive search. 1 Introduction The ciphers Rijndael [6] and Crypton [7] were submitted to the AES (Advanced Encryption Standard) candidates and Rijndael was later selected as the AES [1]. Both of them are based on the Square cipher [5] and so have SPN (Substitution-Permutation Network) structure. The original design of Square cipher concentrates on the resistance against differential and linear cryptanalysis. So it s known that two ciphers have the resistance against those attacks. Although these ciphers have those merits, they have a weakness which results from the characteristic of the optimal linear layer. The known attacks against each cipher, using this weakness, are impossible differential attack [3,9] and Square attack [3,4], which were described by the designers of the Square cipher. These attacks are chosen plaintext attacks and are independent of the specific choice of Sbox, the multiplication polynomial of MixColumn, and the key schedule. They are only related to the characteristic of the linear layer. That is the branch number which is introduced by the designers to explain the diffusion power. Definition 1 (branch number). Let W ( ) be the byte weight function. The branch number of a linear transformation F : Z 2 8 Z 2 8 is min a 0,a Z2 8(W (a)+w (F (a))). K. Kim (Ed.): ICICS 2001, LNCS 2288, pp , c Springer-Verlag Berlin Heidelberg 2002
2 40 Jung Hee Cheon et al. This branch number makes the following property for each cipher. Rijndael: Rijndael has a branch number 5, that is, if a state is applied with a single nonzero byte, the output has 4 nonzero bytes. Crypton: Crypton has a branch number 4 (designer refers this as diffusion order), namely, if a state is applied with a single nonzero byte, the output has 3 nonzero bytes Next, each attack is described as the following: 1. Square attack Using the above property of branch number, we can deduce the characteristic for the relation of input and output of each cipher reduced to 4 rounds: if two plaintext differ by one byte then before the third MixColumn the data differ by all 16 bytes. It leads to the following interesting properties: Consider a set 256 plaintexts which are equal in all bytes except for one and in this one assume all the possible values. Because of the property the inputs of the third MixColumn assume all 256 possible values in each byte. So the XOR of them in each byte is 0. Since the MixColumn is a linear transformation, this property holds after the MixColumn too. This is the property on which Square attack is based. Here we guess one byte in the round key of the fourth round and decrypt the forth round in the corresponding byte in all of the 256 ciphertexts. We get the 256 inputs of the ByteSubstitution of the fourth round. If the key is right, then XOR of them is equal to 0. Through this way we can derive the forth round key. This attack was extended to Rijndael reduced to 5 and 6 rounds by adding one round in the beginning or in the end or both of them. At recent, this attack succeed to the 7 round Rijndael assuming the whole seventh round key. 2. Impossible differential attack Consider two plaintexts which differ by only one byte. Then, the corresponding ciphertexts of the 4-round variant should differ in the special combinations of bytes. We call those combinations impossible differential. This is the property on which impossible differential attack is based. The 5-round impossible differential attack is briefly introduced as the followings: Let s add one round at the end of the 4-round impossible differential and decrypt one round with assuming the fifth round key. Then, if there appears the impossible differential among them, that is a wrong key. Continuing this process we can find the fifth round key. In this paper, we propose impossible differential attacks against each cipher reduced to six rounds. Our attacks are based on the four round impossible differentials each of which was used in the impossible differential attack against each cipher reduced to five rounds [3,9]. While the previous attacks have one additional round with the four round impossible differential, the proposed method has additional two rounds. In this method, we assume two round keys (the first round key and the last round key) and get rid of all wrong key pairs using the
3 Improved Impossible Differential Cryptanalysis of Rijndael and Crypton 41 impossible differentials. The complexity of the proposed attack is larger than that of the Square attack against each cipher reduced to six rounds, but still less than that of the exhaustive attack. We expect that this method may be applicable to other ciphers with SPN structure. The rest of the paper is organized as follows: The description and 5-round impossible differential attack of Rijndael and Crypton is given in section 2 and 3, respectively. In section 4 we conclude by summarizing the efficiency of our attack together with those of previous works. 2 Rijndael 2.1 Description of Rijndael Rijndael is a block cipher. The length of the block and the length of the key can be specified to be 128, 192 or 256 bits, independently of each other. In this paper we discuss the variant with 128-bit blocks and 128-bit keys. In this variant, the cipher consists of 10 rounds. We represent 128-bit data in 4 4 matrix as in Fig. 1. Column 0 Row Fig. 1. Byte Coordinate of 128-bit Every round except for the last consists of 4 transformation: ByteSubstitution is applied to each byte separately and is a nonlinear bytewise substitution to use the Sbox. ShiftRow is a cyclic shift of the bytes of each row by 0, 1, 2, or 3, respectively. MixColumn is a linear transformation applied to columns of the matrix. The branch number of this layer is 5. AddRoundKey is a key XOR. Before the first round AddRoundKey is performed using the key as the round key. In the last round the MixColumn is omitted. Observe that MixColumn is a linear transformation over four bytes of input differences, since it is a linear transformation over four input bytes. If three bytes
4 42 Jung Hee Cheon et al. of output difference are zero, the choice of input differences is since MC is invertible. Hence the probability that output difference is zero at three bytes is 4 (2 8 1)/2 32 since there are four choices on nonzero byte of output difference and the output difference is not zero for nonzero input difference. Lemma 1. The output of MC (or MC transformation) has zero difference in three bytes with probability about 2 22 over all possible input pairs. This lemma holds even if some values of input differences for fixed bytes are restricted. This lemma will be used when analyzing the complexity of the proposed impossible differential attack. 2.2 Impossible Differential We use the same impossible differential described in [3]. See Fig. 2. SR MC ARK BS SR MC ARK Contradiction! BS SR MC ARK BS SR Fig. 2. Four Rounds Impossible Differential of Rijndael Property 1 (Impossible Differential of Rijndael). Given plaintext pair which are equal at all bytes but one, the ciphertexts after 4-round cannot be equal in any of the following prohibited combinations of bytes: (1,6,11,16), (2,7,12,13), (3,8,9,14), nor (4,5,10,15). This property follows from the property of MixColumn transformation: if two inputs of this transformation differ by one byte then the corresponding outputs differ by all the four bytes.
5 Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Rijndael Reduced to Six Rounds In this subsection, we describe an impossible differential cryptanalysis of Rijndael reduced to six rounds. The attack is based on the four round impossible differential with additional one round at each of the beginning and the end as in Fig. 3. Note that the last round of Rijndael does not have MixColumn transformation before KeyAddition. ARK0 BS SR MC q ARK The 4 Round Impossible Characteristic MC p ARK5 ARK 5 is replaced byark 5 eq BS SR ARK6 Fig. 3. Impossible Attack against Rijndael Reduced to Six Rounds The procedure is as follow: 1. A structure is defined as a set of plaintexts which have certain fixed values in all but the four bytes (1,8,11,14). One structure consists of 2 32 plaintexts and proposes =263 pairs of plaintexts. 2. Take structures ( plaintexts, plaintext pairs). Choose pairs whose ciphertext pairs have zero difference at the row 2 and 3. The expected number of such pairs is = Assume a 64-bit value at the row 0 and 1 of the last round key K For each ciphertext pair (C, C ), compute C 5 = BS SR (C K 6 ) and C 5 = BS SR (C K 6 ) and choose pairs whose difference MC (C 5 C 5 ) is zero at the prohibited four bytes (1,6,11,16), (2,7,12,13), (3,8,9,14) or (4,5,10,15) after the inverse of MC transformation. Since the probability is about p =2 32 4=2 30, the expected number of the remaining pairs is = For a pair (P, P ) with such ciphertext pairs and 32-bit value at the four bytes (1,8,11,14) of the initial key K 0, calculate MC SR(BS(P K 0 ) BS(P K 0 ))
6 44 Jung Hee Cheon et al. Column 0 Row 0 A[3][0] A[3][1] A[3][2] A[3][3] A[2][0] A[2][1] A[2][2] A[2][3] A[1][0] A[1][1] A[1][2] A[1][3] A[0][0] A[0][1] A[0][2] A[0][3] Fig. 4. Byte Coordinate of 128-bit and choose pairs whose difference is zero except only one byte after MC transformation. The probability is about q =2 24 4=2 22 since MC is linear for each byte of input values. 6. Since such a difference is impossible, every key that proposes such a difference is a wrong key. After analyzing ciphertext pairs, there remain only about 2 32 ( ) e wrong values of the four bytes of K Unless the initial assumption on the final round key K 6 is correct, it is expected that we can get rid of the whole 32-bit value of K 0 for each 64-bit value of K 6 since the wrong value (K 0,K 6 ) remains with the probability Hence if there remains a value of K 0, we can assume the key K 6 is a right key. So if we repeat Step 2 through Step 5 after changing the row 2 and 3 into the row 0 and 1, we can get the whole value of K Step 4 requires about (= ) one round operations. Step 5 requires about one round operations since {1+( )+( ) 2 + +( ) } Consequently, since we repeat this procedure two times, this attack requires about chosen plaintexts and encryptions of Rijndael reduced to 6 round. 3 Crypton 3.1 Description of Crypton Crypton is a 128-bit block cipher. We represent 128-bit data in 4 4 matrix as in Fig. 4. The component functions, σ, τ, π, and γ, are as follows. γ is a nonlinear byte-wise substitution. There are two versions of γ: γ o is for odd rounds and γ e is for even rounds. π is a linear bit permutation. It bit-wisely mixes each column (4 bytes). In fact, there are two versions of π: π o in odd rounds and π e in even rounds. One important fact is both versions have the branch number 4 as maps from 4-byte input to 4-byte output [7].
7 Improved Impossible Differential Cryptanalysis of Rijndael and Crypton 45 τ is a linear transposition. It simply moves the byte at A[i][j] to A[j][i]. σ is a key XOR. We will use notation σ K when the given key is K. The 2n-round encryption of Crypton can be described as φ e ρ ek2n ρ ok2n ρ ek2 ρ ek1 σ K0, where ρ oki = σ Ki τ π o γ o for odd rounds and ρ eki = σ Ki τ π e γ e for even rounds, and the linear output transformation φ e = τ π e τ is used at the last round. 3.2 Impossible Differential of Crypton We introduce a four round impossible differential of Crypton. Fig. 5 describes one pattern of impossible differentials. The impossible differentials comes from the following observation. 1. If an input pair has zero difference at a byte, then the output pair after σ, γ, σ,orγ also has zero difference at the byte. 2. If an input pair has zero difference at byte[i][j], then the output pair after τ or τ has zero difference at byte[j][i]. 3. π, the word transformation has the branch number 4 as a map from 4- byte input to 4-byte output. That is, if input pair has only one nonzero difference out of four bytes, then the output difference has at least three nonzero difference. Property 2 (Impossible Differential). Given input pair to τ whose difference is zero at all bytes but one, the output difference after the four round starting with τ and ending with γ cannot be zero at all but two rows in the left two columns. 3.3 An Attack against Crypton Reduced to Six Rounds In this subsection, we describe an impossible differential cryptanalysis on Crypton reduced to 6 rounds. The attack is based on the four round impossible differential. We compose the 6 rounds as in Fig. 6. One thing we need to notice is that we replace the 5th and 6th round key addition σ K5 and σ K6 by σ null which is a key addition with zero key. We can compose the same encryption system by putting σ K eq 5 and σ K eq 6 means the equivalent key i.e. π τ (K) The procedure is as follow: between γ and π of their rounds. Here K eq 1. A structure is defined as a set of plaintexts which have certain fixed values in the column 1, 2, and 3. One structure consists of 2 32 plaintexts and proposes =263 pairs of plaintexts. 2. Take 2 59 structures (2 91 plaintexts, plaintext pairs). Choose plaintext pairs (P, P ) such that the pairs (C 6,C6 ) has zero difference at the row 0 and 1, where C 6 = πe τ σ null τ πe τ (C) and C is a ciphertext of P. The expected number of such pairs is =2 58.
8 46 Jung Hee Cheon et al. τ σ γ π τ σ γ π τ σ Contradiction! γ π τ σ γ Fig. 5. Four Round Impossible Differential of Crypton 3. Assume a 64-bit value of the row 2 and 3 of the last round key K eq For each pair (C 6,C6 ) satisfying Step 2, compute C 5 = γe (C 6 K eq 6 ) and C5 = γe (C6 K eq 6 ) and choose pairs whose difference π o τ (C 5 C5 ) is zero at any two rows. Since the probability is about p = , the expected number of the remaining pairs is = For a pair (P, P ) satisfying Step 4, consider 32-bit values of the first column of K 0 such that π(γ o (P K 0 ) γ o (P K 0 )) is zero at all but one byte of the first column. The probability is q =2 24 4= Since such a difference is impossible, every key that proposes such a difference is a impossible key with the chosen key K eq 6 in Step 3. After analyzing plaintext pairs, there remain only about 2 32 ( ) e possible values for the four bytes of the first column of K 0, which means no possibility. 7. Unless the initial assumption on the final round key K eq 6 is correct, it is expected that we can get rid of the whole 32-bit values of K 0 for each 64-bit value of K eq 6 since the wrong value (K 0,K eq 6 ) remains with the probability = Hence if there remains a value of K 0, we can assume the key K eq 6 is a right key. So if we repeat Step 2 through Step 6 after changing the row 0 and 1 with the row 2 and 3, we can get the whole value of K eq 6.
9 Improved Impossible Differential Cryptanalysis of Rijndael and Crypton 47 σ K γ π 0 o p o Impossible Differential σ γ π τ K o q o σ null σ γ K6 e π r e τ σ null τ π e τ Fig. 6. Impossible Attack against Crypton Reduced to Six Rounds 8. Step 2 requires about (= )ofπe πe τ 6round. Step 4 requires about (= )ofπo τ σ. Step 6 requires about of π o γ o operations since =2 32 {1+( )+( ) 2 + +( ) } Consequently, since we repeat this procedure twice, this attack requires about 2 91 chosen plaintexts and encryptions of Crypton reduced to 6 rounds. 3.4 A Variant of the Attack Using Memory In this subsection, we describe a variant of the impossible differential cryptanalysis of the former subsection using memory. Precomputation Stage Take all =2 42 pairs of four bytes in the first column which differ only in one byte(this is the data after one round encryption except the first round key addition). For these pairs, we undo the encryption of the first round, i.e., perform τ, π and γ, and create a hash table containing one of the inputs of γ transformation and the XOR of two inputs x y, indexed by x y, where x, y are the inputs of the γ transformation.
10 48 Jung Hee Cheon et al. Table 1. Complexity of 6-Round Impossible Differential Attack Cipher Attack Round Chosen Ciphertexts Complexity Square attack 6 round Rijndael Impossible differential attack 5 round round Square attack 6 round 2 32 (2 32 Mem.) 2 56 Crypton Impossible differential attack 5 round round Step 4 At first, perform π γ π τ operations for all ciphertexts, and store the pairs (C, U C ) where C is a ciphertext and U C is a corresponding result after π transformation. For each ciphertext pair (C, C ), compare U C and U C and choose pairs whose difference U C U C is zero at the row 0 and 1. Since the probability is p =2 32, the expected number of the remaining pairs is = Step 5 For a pair (P, P ) with ciphertext pairs passing Step 4, we compute x y and use the hash table to fetch the about 2 10 possibility of x which correspond to the computed x y. This process identities about 2 10 wrong key by XORing the plaintexts and the x s. If we replace Step 4 and Step 5 by Precomputation stage, Step 4 and Step 5, the complexity is as follows: Step 4 requires π γ π τ operations and operations of two times memory access and comparison which is about 2 14 times faster than the 6-round Crypton. Hence Step 4 is equivalent to about encryptions. In addition, Step 4 requires = memory. In Step 5, for remaining plaintext pairs we get rid of 2 10 impossible keys by XORing the plaintext and x s which requires about 2 32 encryptions for each assumed key K eq 6. To sum up, this attack requires plaintexts, encryptions and bytes of memory. 4 Conclusion In this paper, we described an impossible differential attack against Rijndael and Crypton reduced to 6 rounds. The attack against Rijndael reduced to 6 rounds requires about chosen plaintexts and encryptions. The attack against Crypton reduced to 6 rounds requires about 2 91 chosen plaintexts and encryptions, or plaintexts, encryptions and bytes of memory. We summarize the complexities of our attacks together with those of previous works in Table 1. We expect that this method can be applied to other block ciphers with SPN Structure.
11 Improved Impossible Differential Cryptanalysis of Rijndael and Crypton 49 References 1. The Advanced Encryption Standard, 2. E. Biham and A. Shamir, Differential Cryptanalysis of DES-like Cryptosystems, J. of Cryptology, Vol. 3, pp.27-41, E. Biham and N. Keller, Cryptanalysis of Reduced Variants of Rijndael, /aes/round2/conf3/aes3papers.html 4. C. D Halluin, G. Bijnens, V. Rijmen, and B. Preneel, Attack on Six Rounds of Crypton, Proc. of Fast Software Encryption 99, Lecture Notes in Computer Science Vol. 1636, pp , Springer-Verlag, J. Daemen, L. Knudsen, and V. Rijmen, The Block Cipher Square, Proc. of Fast Software Encryption 97, Lecture Notes in Computer Science Vol. 1267, pp , J. Daemen and V. Rijmen, AES Proposal: Rijndael, /encryption/aes/rijndael/ 7. C. Lim, A Revised Version of Crypton - Crypton 1.0, Proc. of Fast Software Encryption 99, Lecture Notes in Computer Science Vol. 1636, pp , Springer- Verlag, M. Matsui, Linear Cryptanalysis Method for DES cipher, Proc. of Eurocrypt 93, Lecture Notes in Computer Science Vol. 765, pp , Springer-Verlag, H. Seki and T. Kaneko, Cryptanalysis of Five Rounds of CRYPTON Using Impossible Differentials, Proc. of Asiacrypt 99, Lecture Notes in Computer Science Vol. 1716, pp.43-51, Stefan Lucks, Attacking Seven Rounds of Rijndael under 192-bit and 256-bit Keys, Proc. of Third AES Candidate Conference, AES3, 2000.
A Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationA SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES
A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES MOHAMMAD MUSA, EDWARD F SCHAEFER, AND STEPHEN WEDIG Abstract In this paper, we describe a simplified version of the Rijndael
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationSecurity of the SMS4 Block Cipher Against Differential Cryptanalysis
Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationImpossible Differential Cryptanalysis of Reduced-Round SKINNY
Impossible Differential Cryptanalysis of Reduced-Round SKINNY Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montréal,
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationImproved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256
Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationS-box (Substitution box) is a basic component of symmetric
JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates
More informationA Unified Method for Finding Impossible Differentials of Block Cipher Structures
A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai
More informationRelated-Key Rectangle Attack on 42-Round SHACAL-2
Related-Key Rectangle Attack on 42-Round SHACAL-2 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham, Surrey TW20
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationSome integral properties of Rijndael, Grøstl-512 and LANE-256
Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationBit-Pattern Based Integral Attack
Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationKey Difference Invariant Bias in Block Ciphers
Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationNew Insights on AES-Like SPN Ciphers
New Insights on AES-Like SPN Ciphers Bing Sun 1,2,3, Meicheng Liu 3,4, Jian Guo 3, Longjiang Qu 1, Vincent Rijmen 5 1 College of Science, National University of Defense Technology, Changsha, Hunan, P.R.China,
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationDifferential and Rectangle Attacks on Reduced-Round SHACAL-1
Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham,
More informationOn Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds
On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-18 Pierre-Alain Fouque 1, Jérémy Jean,, and Thomas Peyrin 3 1 Université de Rennes 1, France École Normale Supérieure, France 3
More informationAn Analytical Approach to S-Box Generation
An Analytical Approach to Generation K. J. Jegadish Kumar 1, K. Hariprakash 2, A.Karunakaran 3 1 (Department of ECE, SSNCE, India) 2 (Department of ECE, SSNCE, India) 3 (Department of ECE, SSNCE, India)
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationStructural Cryptanalysis of SASAS
J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationHardware Design and Analysis of Block Cipher Components
Hardware Design and Analysis of Block Cipher Components Lu Xiao and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland St.
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi 1, Christian Rechberger 1,3 and Sondre Rønjom 2,4 1 IAIK, Graz University of Technology, Austria 2 Nasjonal sikkerhetsmyndighet,
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationImproved Cascaded Stream Ciphers Using Feedback
Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationRevisiting AES Related-Key Differential Attacks with Constraint Programming
Revisiting AES Related-Key Differential Attacks with Constraint Programming David Gérault, Pascal Lafourcade, Marine Minier, Christine Solnon To cite this version: David Gérault, Pascal Lafourcade, Marine
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationPractically Secure against Differential Cryptanalysis for Block Cipher SMS4
Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationDifferential Fault Analysis of AES using a Single Multiple-Byte Fault
Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.
More informationIntegral and Multidimensional Linear Distinguishers with Correlation Zero
Integral and Multidimensional Linear Distinguishers with Correlation Zero Andrey Bogdanov 1, regor Leander 2, Kaisa yberg 3, Meiqin Wang 4 1 KU Leuven, ESAT/SCD/COSIC and IBBT, Belgium 2 Technical University
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationDifferential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy
Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium wu.hongjun,bart.preneel@esat.kuleuven.be
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationPerfect Diffusion Primitives for Block Ciphers
Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationChapter 2 - Differential cryptanalysis.
Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered
More informationHuman-readable Proof of the Related-Key Security of AES-128
Human-readable Proof of the Related-Key ecurity of AE-128 Khoongming Khoo 1, Eugene Lee 2, Thomas Peyrin 3,4,5 and iang Meng im 3 1 DO National Laboratories, ingapore kkhoongm@dso.org.sg 2 Raffles Institution,
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationTruncated differential cryptanalysis of five rounds of Salsa20
Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters
More informationSubstitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
J. Cryptology (1996) 9: 1 19 1996 International Association for Cryptologic Research Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis Howard M. Heys and Stafford E.
More information